Prior to MVC5 I've heard of / been able to reproduce an issue in the past where the Thread.CurrentPrincipal is not always set correctly when using async operations. Here's one blog post that discusses the issue: http://www.hanselman.com/blog/SystemThreadingThreadCurrentPrincipalVsSystemWebHttpContextCurrentUserOrWhyFormsAuthenticationCanBeSubtle.aspx
Now I've set up authentication in a new Web API project using OWIN middleware on .NET 4.5.2 (using a token auth provider). The Web API's controllers are made up of mostly async operations which call into another business layer assembly. I would like to use the ClaimsPrincipalPermission attributes to secure invocation into this assembly's methods. This attribute works with a ClaimsAuthorizationManager which checks access. I assume under the covers this uses Thread.CurrentPrincipal, and so I'm skeptical as to whether or not I'm going to run into the same issue where the Thread.CurrentPrincipal does not match that of the original Web API's caller.
Am I likely to experience this same issue? So far I have not reproduced it, but I am not convinced the problem is actually solved. I think it is more likely I have just not yet been able to reproduce a problem that is still there.
References: